The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 28

Tuesday 12 August 2008

Contents

Internet attacks against Georgian web sites
Gadi Evron
Gadi Evron
Russia/Georgia: Tanks, Bombers, Keyboards
Edward Rice
Patch for Web Security Hole Has Some Leaks of Its Own
John Markoff via PGN
MIT Students Gagged by Federal Court Judge
EFF via David Farber
CloudAV
Rob Slade
Two on-line travel booking risks
Chris Drewe
'Fakeproof' microchipped British e-passport ...
Lars Poulsen
Re: Unsuspected travelers' laptops may be detained ...
Steven M. Bellovin
R. G. Newbury
Re: GPS causes nightmare vacation
Fernando Pereira
Re: How reliable is DNA ...?
Michael Black
Steve Schafer
Re: Neglecting to logout from Skype ...
Al Macintyre
Info on RISKS (comp.risks)

Internet attacks against Georgian web sites

<Gadi Evron <ge@linuxbox.org>>
Mon, 11 Aug 2008 01:37:59 -0500 (CDT)

In recent days, news and government Web sites in Georgia suffered DDoS
attacks. While these attacks seem to affect the Georgian Internet, it is
still there.

Facts:
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3. It doesn't seem Internet infrastructure is directly attacked.
4. Every other political tension in the past 10 years, from a comic of the
Prophet Muhammad to the war in Iraq, was followed by online supporters
attacking targets which seem affiliated with the opposing side, and
vice-versa.

Up to the Estonian war, such attacks would be called "hacker enthusiast
attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a
political nature seems to get the "information warfare" tag. When 300
Lithuanian web sites were defaced last month, "cyber war" was the buzzword.

When I ran security for the Israeli government Internet operation and later
the Israeli government CERT, such attacks were routine, and just by speaking
about them in the local news outlets I started bigger so-called "wars" when
enthusiasts responded in the story comments and then attacked the "other
side".

Not every fight is warfare. While Georgia is obviously under DDoS attacks
and they are political in nature, it doesn't so far seem different from any
other online aftermath by fans. Political tensions are always followed by
online attacks by sympathizers.

Could this somehow be indirect Russian action? Yes, but considering Russia
is past playing nice and uses real bombs, they could have attacked more
strategic targets or eliminated the infrastructure kinetically.

Coulda, shoulda -- the nature of what's going on isn't clear, but until we
are certain anything state-sponsored is happening on the Internet it is my
official opinion this is not warfare, but just some unaffiliated attacks by
Russian hackers and/or some rioting by enthusiastic Russian supporters.

It is too early to say for sure what this is and who is behind it.

The RBN blog (following the Russian Business Network) is of a different
opinion:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html
and:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html

Also, Renesys has been following the situation and provides some data:
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

(Thanks to Paul Ferguson for the URLs)

DDoS attacks harm the Internet itself rather than just this or that web
site, so soon this may require some of us in the Internet security
operations community getting involved in mitigating the attacks, if they
don't just drop on their own.

Gadi Evron.

["You don't need your firewalls! Gadi is Israel's firewall."
   -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant
   General, Israel's Ministry of Finance, at the government's CIO
   conference, 2005.
   (after two very funny self-deprecation quotes, time to even things up!)]

http://www.linkedin.com/in/gadievron

  [There were a lot of lessons that should have been learned from the
  Estonian DDoS attacks that still remain to be learned.  PGN]


Internet attacks against Georgian web sites

<Gadi Evron <ge@linuxbox.org>>
Tue, 12 Aug 2008 16:06:59 -0500 (CDT)

This is an update of my previous post on the subject.

To be honest here, no one truly knows what's going on in Georgia's Internet
except for what can be glimpsed from outside, and what has been written by
the Georgians on their blog
(http://georgiamfa.blogspot.com/2008/08/cyber-attacks-disable-georgian-websites.html
outside their country). They are probably a bit busy avoiding kinetic
bombing.

As mentioned in the previous post, Renesys has been following the Georgian
links, which seem to be there, but occasionally drop, possibly due to power
failures. Renesys URL here:
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

Shadowserver and others have been following the botnets attacking the
Georgian web sites, and that is confirmed as happening. Shadowserver was
quoted here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112399&intsrc=hm_list

According to Dancho Danchev, there have also been some defacements, which
he describes here, along with other conclusions I don't necessarily agree
with: http://blogs.zdnet.com/security/?p=1670

So--it is clear their web sites are under attack, and that Internet
visibility-wise, the impact is real for the Georgians. And yet, it is simply
too early and there is not enough information to call this an Internet
war. It is too early to establish motive or who the perpetrator is, however
much we may want to point fingers.

Following every and any political or ethnic tension, world-wide, an online
aftermath comes, in the form of attacks, defacements, and enthusiast hackers
swearing at the other side (which soon does the same, back).

While Georgia's suffering is real, such attacks are nothing but routine here
in Israel. When I ran the defense for the Israeli government Internet
operation and then the Israeli government CERT, such attacks would occur
daily. Hackers on the other side would band together, talk, coordinate a
date, exchange tools, and attack.

While I apologize for the analogy, post-9/11 Israelis were shocked. We were
sympathizing and crying for the victims. What we did not understand was why
people were still shocked ten minutes past, as this was a normal every-day
life happening for us over here. The same applies for cyber-space, the
Internet--we are used to this.

The difference in this attack was that the Georgian authorities, like
numerous others around the world still are not, were not prepared to face
and fend off such an attack.

In my article "Fighting Botnets and Online Mobs" for the Georgetown
Journal of International Affairs covering the Internet war in Estonia, I
state how our opponents will no longer be just countries, or even
organizations as Martin van Creveld once predicted ahead of his time, but
that on the Internet playing field any individual or loosely affiliated
group can be a player, affecting countries and yes, corporations as well.
My article can be found here:
http://www.ciaonet.org/journals/gjia/v9i1/0000699.pdf

The best article describing the events so far is by John Markoff at *The New
York Times*.
  http://www.nytimes.com/2008/08/13/technology/13cyber.html?em

Gadi Evron.


Russia/Georgia: Tanks, Bombers, Keyboards

<Edward Rice <ehrice@his.com>>
Sat, 9 Aug 2008 03:40:47 -0400

*The New York Times* reports that in the "hot war" currently going on
between Russia and Georgia, cyberwarfare appears to have broken out as well:

> Neither side showed any indication of backing down. Prime Minister
> Vladimir V. Putin of Russia declared that "war has started," and President
> Mikheil Saakashvili of Georgia accused Russia of a "well-planned invasion"
> and mobilized Georgia's military reserves.  There were signs as well of a
> cyberwarfare campaign, as Georgian government Web sites were crashing
> intermittently during the day.

<http://www.nytimes.com/2008/08/09/world/europe/09georgia.html>


Patch for Web Security Hole Has Some Leaks of Its Own

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 12 Aug 2008 14:30:37 PDT

Evgeniy Polyakov has demonstrated that the emergency patch to the Domain
Name System for the vulnerability noted by Dan Kaminsky (RISKS-25.25) is
itself flawed and relatively easily exploited.  [Source: John Markoff, *The
New York Times*, 9 Aug 2008, B1 (National Edition); PGN-ed]


[IP] MIT Students Gagged by Federal Court Judge

<David Farber <dave@farber.net>>
Sat, 9 Aug 2008 17:21:27 -0400

Bad decision by the Judge djf

  [Boston's Charlie Card vulnerability.  Note that the students' paper
  explicitly does not reveal the key details of the vulnerability.
  Another example of shooting the messenger rather than getting to the
  root of the problems.  PGN]

Begin forwarded message:

From: EFF Press <press@eff.org>
Date: August 9, 2008 5:14:30 PM EDT
To: presslist@eff.org
Subject: [E-B] EFF: MIT Students Gagged by Federal Court Judge
Reply-To: press@eff.org

Electronic Frontier Foundation Media Release

For Immediate Release: Saturday, August 09, 2008

Contact:

Jennifer Stisa Granick
   Civil Liberties Director
   Electronic Frontier Foundation
   jennifer@eff.org
   +1 415 271-4879

Marcia Hofmann
   Staff Attorney
   Electronic Frontier Foundation
   marcia@eff.org
   +1 415 436-9333 x116

Rebecca Jeschke
   Media Coordinator
   Electronic Frontier Foundation
   press@eff.org
   +1 415 436-9333 x125

MIT Students Gagged by Federal Court Judge

EFF Backs Researchers Forced to Cancel Presentation on
Transit Fare Payment System

Las Vegas - Three students at the Massachusetts Institute of Technology
(MIT) were ordered this morning by a federal court judge to cancel their
scheduled presentation about vulnerabilities in Boston's transit fare
payment system, violating their First Amendment right to discuss their
important research.

The Electronic Frontier Foundation (EFF) represents Zack Anderson, RJ Ryan
and Alessandro Chiesa, who were set to present their findings Sunday at
DEFCON, a security conference held in Las Vegas.  However, the Massachusetts
Bay Transit Authority (MBTA) sued the students and MIT in United States
District Court in Massachusetts on Friday, claiming that the students
violated the Computer Fraud and Abuse Act (CFAA) by delivering information
to conference attendees that could be used to defraud the MBTA of transit
fares.  This morning District Judge Douglas P. Woodlock, meeting in a
special Saturday session, ordered the trio not to disclose for ten days any
information that could be used by others to get free subway rides.

"We wanted to share our academic work with the security community and had
planned to withhold a key detail of our results so that a malicious attacker
could not use our research for fraudulent purposes," said Anderson.  "We're
disappointed that the court is preventing us from presenting our findings
even with this safeguard."

Vulnerabilities in magnetic stripe and RFID card payment systems implemented
by many urban transit systems are generally known. The student research
applied this information to the specific case of Boston's Charlie Card and
Charlie Ticket, and the project earned an A from renowned computer scientist
and MIT professor Dr. Ron Rivest.

The court relied on a federal law aimed at computer intrusions in issuing
its order, holding that even discussing the flaws at a public conference
constituted a "transmission" of a computer program that could harm the fare
collection system.

"The court's order is an illegal prior restraint on legitimate academic
research in violation of the First Amendment," said EFF Civil Liberties
Director Jennifer Granick.  "The court has adopted an interpretation of the
statute that is blatantly unconstitutional, equating discussion in a public
forum with computer intrusion.  Security and the public interest benefit
immensely from the free flow of ideas and information on
vulnerabilities. More importantly, squelching research and scientific
discussion won't stop the attackers.  It will just stop the public from
knowing that these systems are vulnerable and from pressuring the companies
that develop and implement them to fix security holes."

This case is part of EFF's Coders' Rights Project, launched just this week
to protect programmers and developers from legal threats hampering their
cutting-edge research.  EFF will seek relief for the researchers in the
courts.

For the full temporary restraining order:
http://www.eff.org/files/filenode/MIT%20students%20TRO.pdf

For more on the Coders' Rights Project:
http://www.eff.org/issues/coders

For this release:
http://www.eff.org/press/archives/2008/08/09

About EFF

The Electronic Frontier Foundation is the leading civil liberties
organization working to protect rights in the digital world. Founded in
1990, EFF actively encourages and challenges industry and government to
support free expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to websites in the world
at http://www.eff.org/


CloudAV

<Rob Slade <rMslade@shaw.ca>>
Mon, 11 Aug 2008 11:27:22 -0800

A few media sources seem to be picking up a press release from the
University of Michigan.

http://www.ns.umich.edu/htdocs/releases/story.php?id=6666

This reports on "CloudAV," a project and series of papers about having
antivirus detection run "in the cloud" rather than on the PC.

http://www.eecs.umich.edu/fjgroup/cloudav/

As usual, there seems to be some misunderstanding about what is going on
here.  CloudAV is not really a new approach, it is simply the use of
multiple scanners, which the AV research community has advocated for years.
It's like having a bunch of scanners installed on your desktop, or a system
like Virustotal, with the exception that the scanners run on different
computers so you get a bit of performance advantage (absent the bandwidth
lag/drain for submitting files to multiple systems).

rslade@vcn.bc.ca  rslade@computercrime.org  victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/


Two on-line travel booking risks

<"Chris Drewe" <e767pmk@yahoo.co.uk>>
Sun, 10 Aug 2008 18:18:12 +0100

Here are two items from the readers' queries feature in the travel section
of the weekend newspaper recently (don't know if they're in the on-line
version, but it's http://www.telegraph.co.uk/travelexperts , Aug 2 & 9):

* A reader wrote about booking 3 air tickets on-line for himself and two
  other people via the airline's web site, and ended up with three tickets
  with his own name on them, which cost a small fortune to correct.  This
  was suggested as being due to the `autofill' function of his web browser
  (it didn't say which one), and also returning to a previous stage of the
  booking process with the browser back arrow rather than the `Back' link on
  the web page.  The airline was quoted as saying that it can't disable or
  detect this as an error (unlike, say, an empty name field), so it's the
  customers' responsibility to check when entering data.

* In the UK, passports last for 10 years, but they can be renewed slightly
  before they expire, with the unused period transferred to the new one
  (thus allowing you to renew your passport in good time without losing part
  of its validity period), hence it's possible to have a passport with an
  expiry date just over 10 years in the future.  A reader comments that the
  US Electronic System for Travel Authorisation application site at
  https://esta.cbp.dhs.gov didn't accept his passport because it was valid
  for more than 10 years.  Response was that the Department for Homeland
  Security claims to have fixed this, but as the on-line permit is
  compulsory from next year, it may be something to be aware of.


'Fakeproof' microchipped British e-passport ... (Thomas, RISKS-25.26)

<Lars Poulsen <lars@beagle-ears.com>>
Sun, 10 Aug 2008 06:49:01 -0700

I have been watching with increasing puzzlement the security theater about
"electronic passports", and I still cannot figure out what it is that the
system is supposed to accomplish. It seems to me that it is going backwards.

Indeed, the world has changed since the traditional passport system was
established. The traditional passport relies on "secure paper" technology:
Textile paper with watermarks was considered to be too difficult to
fake. Modern printers can create something that looks close enough to fool a
quick look.

It seems to me that the response to this would be to take advantage of
Internet technology: One should no longer trust the passport, but use only
the embedded barcode or OCR digit string to furnish a record identifier and
then pull the passport information from the issuing agency's database. Then
a forged paper passport would be worthless at border crossings.

Instead, we have replaced the reliance on "secure paper" with a reliance on
"secure silicon", even though it should be obvious to anyone that a writable
memory chip can be reprogrammed in the field ... indeed the standard method
of deployment of the genuine instrument relies on this property. Any digital
signing on the chip to ensure that it has not been altered requires a
functioning network link to the issuer's database. And with that link, the
chip is unnecessary.

I know that I am not so smart that I have figured out something that all the
experts have overlooked, so I must be missing something critical. What have
I overlooked?

Lars Poulsen, Afar Communications Inc


Re: Unsuspected travelers' laptops may be detained ... (RISKS-25.16)

<"Steven M. Bellovin" <smb@cs.columbia.edu>>
Mon, 11 Aug 2008 15:59:44 -0400

It's worth noting -- repeating, actually -- that border searches of laptops
are not restricted to the US.  See, for example,
http://news.bbc.co.uk/1/hi/sci/tech/150465.stm which reports on British
policy.  Also note the date: 1998.  I have a different question: which
developed economies have explicit policies saying that they will not search
(the information on) laptops?

Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: Unsuspected travelers' laptops may be detained... (RISKS-25.16)

<"R. G. Newbury" <newbury@mandamus.org>>
Sat, 09 Aug 2008 21:05:58 -0400

The worst features of this are that IF you have done the smart thing and
used strong encryption to protect your data, the Customs agent will be MORE
likely to take away your entire laptop for examination... and he will take
your entire laptop, not just the hard drive out of it.

In effect, you have no Fourth or Fifth Amendment rights when crossing the
border into the US. Must scare the living bejesus out of most corporate
counsel and CIO guys.

As for me, the next time I cross the border with my laptop, it will have an
entirely brand spanking new Fedora install on the laptop's original (small)
hard drive with not one single piece of important data.


Re: GPS causes nightmare vacation

<Fernando Pereira <pereira@cis.upenn.edu>>
Fri, 8 Aug 2008 20:39:11 -0700

GPS caused nothing there, no computer risks involved. The risk is for people
travelling in wild places with no clue about what they are about to
experience. They blamed the GPS because they had to find an excuse for
their ignorance and stupidity. They were lucky that they got away with just
embarrassment; others with a similar attitude have paid with their lives.


Re: How reliable is DNA ...? (Schaefer, RISKS-25.27)

<"Michael Black" <mdblack98@yahoo.com>>
Sat, 9 Aug 2008 08:40:24 -0500

I've long been a critic of DNA matches -- seems it's always being presented
as an almost "sure thing".  I always said that when the database got large
enough they'd start having problems.

Well, a recent article has caused me to analyze the probabilities.  It's
quite eye-opening when you understand how it really works.

You always hear of one-in-million or billion chances but it would seem, by
simple analysis, that this is not true, and would certainly explain why the
FBI is fighting against people being able to do studies such as are quoted
in this article.  But you really don't need to do any studies.  That
statistics are pretty simple.

For those of you who are computer-wise, DNA matching is apparently a binary
coded system.  "9 loci" matches are frequently used to find matches.
I don't know where the numbers come from that I hear in the court
cases...but this is how it quite apparently works.  As the article below
pointed out -- they found 122 matches in the Arizona database of 65,000
where there was a 9-loci or more match.  This very closely matches the
following table that I calculated based on simple binary probabilities,
showing the number of loci, the cumulative probability, and the resulting
average number of matches expected at each loci match level:

  Loci   Cumulative probability   Expected matches
   1     0.5                      32500
   2     0.25                      8125
   3     0.125                     4063
   4     0.0625                    2031
   5     0.03125                   1016
   6     0.015625                   508
   7     0.007813                   254
   8     0.003906                   127
   9     0.001953                    63
  10     0.000977                    32
  11     0.000488                    16
  12     0.000244                     8

The "9 loci or better" numbers give you 63 likely matches -- the 122 in the
study may well be due to the lack of independence -- e.g., relatives and the
distribution of the actual DNA samples (which one would have to do a study
to find out).

Given the current U.S. population of 305 million then, how many matches
would there be in the U.S.?  At 9 loci or more you would expect 595,703
matches.  Proof beyond doubt?  Hardly.  At 12 loci it would be 74,463 and at
13 loci 37,231.

This is why DNA evidence alone is NOT a sure thing and should never be used
as the sole evidence in a case.  So the next question would be -- if I
already have a suspect and his DNA matches -- how good is that?  That
question is simply, "what are the odds that a specific DNA sample will match
somebody else in the database?"  For the U.S. population that turns out to
be 1-in-546 or a 99.82% match at 9 loci and 1-in-8192 at 12 loci or a 99.99%
match.  As a juror I don't think I would see much difference between 99.82%
and 99.9988%.  And stating it as 1-in-8192 puts a whole different spin on
99.99%.

DNA can be used to EXCLUDE beyond any doubt.  But it cannot be used to
INCLUDE beyond any doubt.  Question being what is "reasonable doubt"
statistically?  As a defense lawyer you might be able to say "in this city
of 65,000 alone there are approximately 122 people with the same DNA profile
as my client" -- that would be the 9-loci case -- or "8 people" at 12 loci.
That sounds like reasonable doubt to me and would make me completely
discount the DNA evidence.  Without other supporting evidence I would never
convict somebody on DNA alone.


Re: How reliable is DNA ...? (Schaefer, RISKS-25.27)

<Steve Schafer <steve@fenestra.com>>
Sat, 09 Aug 2008 08:39:05 -0400

The controversy arises here because this situation is analogous to the well
known Birthday Problem (sometimes called the Birthday Paradox), which is the
difference between the following two questions:

Q1: How many people do I have to invite to a party before the probability
that two of the guests have the same birthday exceeds 99%?

A1: 57.

Q2: How many people do I have to invite to a party before the probability
that one of the guests has the same birthday as me exceeds 99%?

A2: 1679.

Another way to look at it: If I invite 57 people to my party, there is a 99%
chance that two guests will have the same birthday, but a less than 15%
chance that one of the guests will have the same birthday as me.

* From the description in the news stories, Troyer was asking question 1.
  During criminal investigations, investigators ask question 2.
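As an added example (not code from either post), the Python below carries Schafer's two questions through numerically: the birthday figures 57 and 1679, the under-15% chance at 57 guests, and the same Q1-versus-Q2 distinction applied to the 122 matching pairs found in the 65,000-profile Arizona database quoted by Black. It assumes every pair of people (or profiles) matches independently with one fixed probability p; the per-pair DNA rate is not taken from either post but is back-calculated from the observed count.

```python
"""Birthday-problem arithmetic behind the two questions in the DNA thread.

Assumption (not stated in the posts): every pair of people or profiles
matches independently with the same probability p. For birthdays p = 1/365;
for the DNA database p is whatever the observed pairwise matches imply.
"""
import math

DAYS = 365


def p_any_pair_shares(n, p=1.0 / DAYS):
    """Q1: probability that at least two of n people share a 'birthday'.

    Exact product for a uniform distribution over round(1/p) categories.
    """
    categories = round(1.0 / p)
    prob_all_distinct = 1.0
    for k in range(n):
        prob_all_distinct *= (categories - k) / categories
    return 1.0 - prob_all_distinct


def p_someone_shares_mine(n, p=1.0 / DAYS):
    """Q2: probability that at least one of n guests shares *my* birthday."""
    return 1.0 - (1.0 - p) ** n


def smallest_n(prob_fn, target, p=1.0 / DAYS):
    """Smallest guest count n at which prob_fn(n, p) exceeds target."""
    n = 1
    while prob_fn(n, p) <= target:
        n += 1
    return n


def expected_pairwise_matches(n_profiles, p_pair):
    """Q1 analogue: expected number of matching pairs in a whole database."""
    return n_profiles * (n_profiles - 1) / 2 * p_pair


def implied_pair_probability(n_profiles, observed_pairs):
    """Per-pair match probability implied by an observed count of matching pairs."""
    return observed_pairs / (n_profiles * (n_profiles - 1) / 2)


def expected_matches_to_suspect(n_profiles, p_pair):
    """Q2 analogue: expected number of entries matching one given profile."""
    return (n_profiles - 1) * p_pair


if __name__ == "__main__":
    # Schafer's party figures.
    print("Q1 guests for >99%:", smallest_n(p_any_pair_shares, 0.99))      # 57
    print("Q2 guests for >99%:", smallest_n(p_someone_shares_mine, 0.99))  # 1679
    print("P(someone shares mine | 57 guests):",
          round(p_someone_shares_mine(57), 4))

    # Arizona figures quoted by Black: 122 matching pairs among 65,000 profiles.
    n_db, observed = 65000, 122
    p_pair = implied_pair_probability(n_db, observed)
    print("Implied per-pair match probability: 1 in",
          round(1 / p_pair))
    print("Expected matches to one given suspect:",
          round(expected_matches_to_suspect(n_db, p_pair), 4))
```

The last two lines are the point of the thread: 122 pairwise matches across a whole database is a Q1 count, and under the independence assumption it implies that a single suspect's profile would be expected to match far fewer than one other entry.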


Re: Neglecting to logout from Skype ... (RISKS-25.27)

<Al Macintyre <macwheel99@wowway.com>>
Sat, 09 Aug 2008 16:25:43 -0500

In our travels, work, school, home, we may have need of multiple different
locations from which to access various Internet services, but probably not
simultaneously.

Those different PCs can often have different default settings and
configurations.

I recently was working in part of the flooded Midwest, where many business
sites were without phones, fax, Internet service etc., so I was using the
computer at the motel to catch up on e-mail etc.  The computer in the hotel
lobby was shared by 200 hotel room guests, on a first come first served basis.

It is important to log out each day, and maybe change your password daily,
because it is unknown what gets saved in that PC's cache.  I found where one
guest had created a folder with particulars about managing their bank
accounts, still logged on. Every guest could access every other guest's
stuff because it was one password for all of us.  I figure this kind of
infrastructure is a magnet for spyware.

For decades in offices where people share some network of databases, it has
been productive to concurrently open multiple sessions ... some updating or
entering data, others inquiring into various aspects of the data entry, more
related to coping with interruptions.  It is nice that at an instant's need,
yet another session can be opened to look at the data a different way or to
pursue a different interest.  But at the end of the day, when it is time to
go home, it is also easy to forget about a session opened hours ago and then
interrupted, so that you forgot it was open.  This could be at one
workstation with 8 sessions open, or multiple workstations, as some persons
patrolled a building, dealing with situations, signing on at the most
convenient location.

I railed without success at the network configurators to add an icon showing
the number of sessions you are currently signed on at, a number you want to
wind down to zero when you are done for the day.
